HACMP 5.4: How to change SNMP community name from default "public" and keep clstat working
HACMP 5.4 supports changing the default community name from "public" to something else. SNMP is used for clstatES communications. Using the default "public" SNMP community name can be a security vulnerability, so changing it is advisable.
First, find out what version of SNMP you are using:
# ls -l /usr/sbin/snmpd
lrwxrwxrwx 1 root system 9 Sep 08 2008 /usr/sbin/snmpd -> snmpdv3ne
(In this case, it is using version 3).
Make a copy of your configuration file. It is located in /etc.
/etc/snmpd.conf <- Version 1
/etc/snmpdv3.conf <- Version 3
Edit the file and replace public, wherever it is mentioned, with your new community name. Make sure to use no more than 8 characters for the new community name.
Change subsystems and restart them (in these examples the new community name is "new"):
# chssys -s snmpmibd -a "-c new"
# chssys -s hostmibd -a "-c new"
# chssys -s aixmibd -a "-c new"
# stopsrc -s snmpd
# stopsrc -s aixmibd
# stopsrc -s snmpmibd
# stopsrc -s hostmibd
# startsrc -s snmpd
# startsrc -s hostmibd
# startsrc -s snmpmibd
# startsrc -s aixmibd
Test using your localhost:
# snmpinfo -m dump -v -h localhost -c new -o /usr/es/sbin/cluster/hacmp.defs nodeTable
If the command hangs, something is wrong. Check the changes you made.
If everything works fine, perform the same change on the other node and test again. Now you can test from one server to the other using the snmpinfo command above.
If you need to back out, restore the original configuration file and restart the subsystems. Note that in this case we use empty double quotes, with no space between them.
# chssys -s snmpmibd -a ""
# chssys -s hostmibd -a ""
# chssys -s aixmibd -a ""
# stopsrc -s snmpd
# stopsrc -s aixmibd
# stopsrc -s snmpmibd
# stopsrc -s hostmibd
# startsrc -s snmpd
# startsrc -s hostmibd
# startsrc -s snmpmibd
# startsrc -s aixmibd
Okay, now make the change to clinfoES and restart it on both nodes:
# chssys -s clinfoES -a "-c new"
# stopsrc -s clinfoES
# startsrc -s clinfoES
Wait a few minutes and you should be able to use clstat again with the new community name.
Disclaimer: If you have any other application other than clinfoES that uses snmpd with the default community name, you should make changes to it as well. Check with your application team or software vendor.
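The edit step above (replace every "public", at most 8 characters) can be rehearsed on a copy of the configuration file before the file in /etc is touched. This is an added example, not part of the original post; the function names, the community name hacmp01 and the sample snmpdv3.conf-style lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# configuration are constructed; run it against a copy, never the live file.

# The post's limit is 8 characters. Rejecting "public" itself and names that
# contain a space is an assumption added here (the files are space-delimited).
valid_community() {
    case "$1" in
        ''|public|*' '*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# Print how many non-comment lines still carry "public" as a whole field.
count_public() {
    awk '!/^[ \t]*#/ { for (i = 1; i <= NF; i++) if ($i == "public") { n++; break } }
         END { print n + 0 }' "$1"
}

# Copy $1 to $2 with each whole-field "public" replaced by $3. Comment lines
# are copied unchanged; changed lines are re-joined with single spaces.
replace_public() {
    valid_community "$3" || return 1
    awk -v repl="$3" '
        /^[ \t]*#/ { print; next }
        { for (i = 1; i <= NF; i++) if ($i == "public") $i = repl; print }
    ' "$1" > "$2"
}

# Constructed sample in the style of /etc/snmpdv3.conf.
write_sample() {
    cat > "$1" <<'EOF'
# public is the shipped default
VACM_GROUP group1 SNMPv1 public -
TARGET_PARAMETERS trapparms1 SNMPv1 SNMPv1 public noAuthNoPriv -
COMMUNITY public public noAuthNoPriv 0.0.0.0 0.0.0.0 -
smux 1.3.6.1.4.1.2.3.1.2.1.2 gated_password # gated
EOF
}

tmp=${TMPDIR:-/tmp}/snmpchk.$$
write_sample "$tmp.orig"
replace_public "$tmp.orig" "$tmp.new" hacmp01
echo "lines with public: $(count_public "$tmp.orig") before, $(count_public "$tmp.new") after"
rm -f "$tmp.orig" "$tmp.new"
```

A non-zero count from count_public on the edited copy means a line was missed; running it on the configuration of any other SNMP consumer shows where the default name is still in use.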